modules: mbedtls: add new helper symbol PSA_CRYPTO_PROVIDER

The goal of new Kconfig PSA_CRYPTO_PROVIDER is to automatically enable
any of the PSA Crypto API provider available for the platform without
having the user to manually pick the proper one. This provider can be
either TF-M, if that's enabled in the build, or Mbed TLS otherwise.

PSA_CRYPTO_PROVIDER simplifies also modules/subsystem Kconfigs removing
blocks as:
	select MBEDTLS if !BUILD_WITH_TFM
	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM

Kconfig PSA_CRYPTO_PROVIDER_CUSTOM is also added to allow the end user
to add a custom implementation of PSA Crypto API instead of TF-M or
Mbed TLS ones.

Signed-off-by: Valerio Setti <[email protected]>

Author: valeriosetti

doc/releases/release-notes-4.3.rst

@@ -70,6 +70,11 @@ Deprecated APIs and options
 New APIs and options
 ====================
 
+* :kconfig:option:`CONFIG_PSA_CRYPTO_PROVIDER` allows to automatically select a PSA Crypto API
+  provider based on the current board capabilities. TF-M and Mbed TLS are the only options available
+  for now, but the user can select :kconfig:option:`CONFIG_PSA_CRYPTO_PROVIDER_CUSTOM` to use
+  a custom solution.
+
 ..
   Link to new APIs here, in a group if you think it's necessary, no need to get
   fancy just list the link, that should contain the documentation. If you feel

drivers/bluetooth/hci/Kconfig

@@ -158,8 +158,7 @@ config BT_SILABS_EFR32
 	depends on ZEPHYR_HAL_SILABS_MODULE_BLOBS || BUILD_ONLY_NO_BLOBS
 	depends on !PM || SOC_GECKO_PM_BACKEND_PMGR
 	select SOC_GECKO_USE_RAIL
-	select MBEDTLS
-	select MBEDTLS_PSA_CRYPTO_C
+	select PSA_CRYPTO_PROVIDER
 	select MBEDTLS_ENTROPY_C
 	select HAS_BT_CTLR
 	select BT_CTLR_PHY_UPDATE_SUPPORT

drivers/bluetooth/hci/Kconfig.esp32

@@ -487,12 +487,11 @@ config ESP32_BT_LE_CRYPTO_STACK_MBEDTLS
 	bool "mbedTLS crypto stack"
 	depends on ESP32_BT_LE_SECURITY_ENABLE
 	default y
-	select MBEDTLS
+	select PSA_CRYPTO_PROVIDER
 	select MBEDTLS_ECP_C
 	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
 	select MBEDTLS_ECDH_C
 	select MBEDTLS_ENTROPY_C
-	select MBEDTLS_PSA_CRYPTO_C
 	help
 	  Use mbedTLS library for BLE cryptographic operations.
 

modules/hostap/Kconfig

@@ -204,7 +204,7 @@ endchoice
 
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
 	bool "Crypto Platform Secure Architecture support for WiFi"
-	imply MBEDTLS_PSA_CRYPTO_C
+	select PSA_CRYPTO_PROVIDER
 	select MBEDTLS_USE_PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ALG_HMAC

modules/mbedtls/Kconfig.psa.logic

@@ -1,8 +1,37 @@
 # Copyright (c) 2024 BayLibre SAS
 # SPDX-License-Identifier: Apache-2.0
 
-# This file extends Kconfig.psa (which is automatically generated) by adding
-# some logic between PSA_WANT symbols.
+config PSA_CRYPTO_PROVIDER
+	bool "PSA Crypto API provider"
+	help
+	  Enable a PSA Crypto API provider in the build. If TF-M is enabled then
+	  it will be used for this scope, otherwise Mbed TLS will be used.
+
+choice PSA_CRYPTO_PROVIDER_IMPL
+	prompt "PSA Crypto API provider options"
+	depends on PSA_CRYPTO_PROVIDER
+	default PSA_CRYPTO_PROVIDER_TFM if BUILD_WITH_TFM
+	default PSA_CRYPTO_PROVIDER_MBEDTLS
+
+config PSA_CRYPTO_PROVIDER_TFM
+	bool "Use TF-M"
+	depends on BUILD_WITH_TFM
+	select TFM_PARTITION_CRYPTO
+
+config PSA_CRYPTO_PROVIDER_MBEDTLS
+	bool "Use Mbed TLS"
+	depends on !BUILD_WITH_TFM
+	select MBEDTLS
+	select MBEDTLS_PSA_CRYPTO_C
+
+config PSA_CRYPTO_PROVIDER_CUSTOM
+	bool "Use a custom library"
+	depends on !BUILD_WITH_TFM
+
+endchoice # PSA_CRYPTO_PROVIDER
+
+# The following section extends Kconfig.psa (which is automatically generated)
+# by adding some logic between PSA_WANT symbols.
 
 config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
 	bool

modules/uoscore-uedhoc/Kconfig

@@ -5,7 +5,6 @@ menuconfig UOSCORE
 	bool "UOSCORE library"
 	depends on ZCBOR
 	depends on ZCBOR_CANONICAL
-	depends on MBEDTLS
 	select UOSCORE_UEDHOC_CRYPTO_COMMON
 
 	help
@@ -22,7 +21,6 @@ menuconfig UEDHOC
 	bool "UEDHOC library"
 	depends on ZCBOR
 	depends on ZCBOR_CANONICAL
-	depends on MBEDTLS
 	select UOSCORE_UEDHOC_CRYPTO_COMMON
 	help
 	  This option enables the UEDHOC library.
@@ -38,7 +36,7 @@ if UOSCORE || UEDHOC
 
 config UOSCORE_UEDHOC_CRYPTO_COMMON
 	bool
-	imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO_PROVIDER
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT

samples/net/sockets/http_server/Kconfig

@@ -17,7 +17,7 @@ config NET_SAMPLE_HTTP_SERVER_SERVICE_PORT
 config NET_SAMPLE_HTTPS_SERVICE
 	bool "Enable https service"
 	depends on NET_SOCKETS_SOCKOPT_TLS || TLS_CREDENTIALS
-	imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO_PROVIDER
 
 if NET_SAMPLE_HTTPS_SERVICE
 

samples/subsys/mgmt/updatehub/overlay-psa.conf

@@ -1,3 +1,2 @@
 CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO_PROVIDER=y

subsys/bluetooth/crypto/Kconfig

@@ -3,8 +3,7 @@
 
 config BT_CRYPTO
 	bool
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO_PROVIDER
 	select PSA_WANT_KEY_TYPE_AES
 	select PSA_WANT_ALG_CMAC
 	select PSA_WANT_ALG_ECB_NO_PADDING

subsys/bluetooth/host/Kconfig

@@ -200,8 +200,7 @@ config BT_BUF_EVT_DISCARDABLE_COUNT
 config BT_HOST_CRYPTO
 	bool "Use crypto functionality implemented in the Bluetooth host"
 	default y if !BT_CTLR_CRYPTO
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO_PROVIDER
 	select PSA_WANT_KEY_TYPE_AES
 	select PSA_WANT_ALG_ECB_NO_PADDING
 	help
@@ -1041,8 +1040,7 @@ endif # BT_DF
 
 config BT_ECC
 	bool
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO_PROVIDER
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT